New York State continues to strengthen cybersecurity regulations for financial institutions. New amendments to the Cybersecurity Regulation enacted in 2017 strengthen the regulation and add new security obligations. As Hunton Andrews Kurth summarizes it, “The new amendments strengthen the initial framework and require NYDFS-regulated entities to adhere to a number of additional prescriptive data security requirements, including adopting controls to prevent unauthorized access to information systems, conducting more regular risk assessments, maintaining robust incident response planning procedures, and adhering to updated notification requirements, such as the new requirement to report ransomware extortion payments to NYDFS within 24 hours of the payment.”
Of note, the new reporting requirements take effect on December 1, 2023, while other requirements go into effect later.
More information can be found on the NYDFS Cybersecurity Resource Center website. Training sessions provided by NYDFS begin on November 15; the schedule is on the resource center website.